Add libaudit support

------- Comment From <email address hidden> 2015-07-28 21:47 EDT-------
Looks like LOGIN records are also omitted from ausearch (try ausearch -i). That seems to point to a libaudit issue.

Another strange thing is if it try to ltrace aureport or ausearch, it fails with a sigsegv.

------- Comment From <email address hidden> 2015-07-29 14:29 EDT-------
This is not critical to have in 14.04.3 release for 8/06. However, it should go into service stream and must be in 16.04. According to George, it is a security issue in that it will falsely show that no logins took place when the admin specifically looks for them. It could cause an audit noncompliance for a variety of hardening standards (Common Criteria)

The bug is not in aureport or libaudit. aureport looks for AUDIT_USER_LOGIN events in the audit log but we're not generating them in login programs due to libaudit support not being enabled at build time or, in the case of lightdm, missing libaudit support.

Note that we are generating an AUDIT_LOGIN event from the kernel upon login but aureport and friends are looking for AUDIT_USER_LOGIN events from userspace.

This will require changes to a several packages. So far, I've been able to determine that openssh needs to be built with --enable-audit=linux and lightdm needs to be patched to generate AUDIT_USER_LOGIN events. The lightdm pam configs may also need updating for calling out to pam_loginuid.so but I'm not sure if that's required at this point.

The shadow package was recently modified to enable libaudit support (https://launchpad.net/ubuntu/+source/shadow/1:4.1.5.1-1.1ubuntu5) so that change will need to be SRU'ed.

The util-linux source package can generate AUDIT_USER_INFO events from its login program but we're using the login program from the shadow source package. After looking at the util-linux source, I don't see a reason to build it against libaudit at this time.

I've created an upstream lightdm merge request to add login and logout auditing support:

  https://code.launchpad.net/~tyhicks/lightdm/auditing/+merge/269828

I've also submitted the (simple) changes needed in the openssh package to Debian since Colin keeps the Debian and Ubuntu openssh package in sync:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797727

This bug was fixed in the package openssh - 1:6.9p1-2

---------------
openssh (1:6.9p1-2) unstable; urgency=medium

  [ Colin Watson ]
  * mention-ssh-keygen-on-keychange.patch: Move example ssh-keygen
    invocation onto a separate line to make it easier to copy and paste
    (LP: #1491532).

  [ Tyler Hicks ]
  * Build with audit support on Linux (closes: #797727, LP: #1478087).

 -- Colin Watson <email address hidden> Thu, 10 Sep 2015 12:26:11 +0100

This bug was fixed in the package lightdm - 1.16.2-0ubuntu1

---------------
lightdm (1.16.2-0ubuntu1) wily; urgency=medium

  * New upstream release:
    - Fix compile failing without libinput

 -- Robert Ancell <email address hidden> Wed, 16 Sep 2015 14:20:11 -0400

------- Comment From <email address hidden> 2015-11-16 18:17 EDT-------
Because this is a security, we request this fix be included in 14.04 SRU please.

Mathieu, any outlook for this SRU?

Hello bugproxy, or anyone else affected,

Accepted shadow into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shadow/1:4.1.5.1-1ubuntu9.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello bugproxy, or anyone else affected,

Accepted openssh into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

------- Comment From <email address hidden> 2016-01-31 23:04 EDT-------
Verified on Ubuntu14.04.4, this bug is not fixed.

root@monklp1:~# /etc/init.d/auditd status
* auditd is running.

root@monklp1:~# auditctl -e 1
AUDIT_STATUS: enabled=1 flag=1 pid=9417 rate_limit=0 backlog_limit=320 lost=2 backlog=0

root@monklp1:~# grep -i login /var/log/audit/audit.log
type=LOGIN msg=audit(1454295455.634:27): pid=9439 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=1 res=1
type=LOGIN msg=audit(1454295480.786:35): pid=9471 uid=0 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=2 res=1
type=LOGIN msg=audit(1454295524.534:43): pid=9508 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=3 res=1

root@monklp1:~# aureport -l

Login Report
============================================
# date time auid host term exe success event
============================================
<no events of interest were found>

root@monklp1:~# uname -a
Linux monklp1 4.2.0-25-generic #30~14.04.1-Ubuntu SMP Mon Jan 18 16:25:16 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux

root@monklp1:~# dpkg -s auditd
Package: auditd
Status: install ok installed
Priority: extra
Section: admin
Installed-Size: 713
Maintainer: Ubuntu Developers <email address hidden>
Architecture: ppc64el
Source: audit
Version: 1:2.3.2-2ubuntu1
Depends: lsb-base (>= 3.0-6), init-system-helpers (>= 1.13~), libaudit1 (>= 1:2.2.1), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
Suggests: audispd-plugins

Changing the tag 'verification-needed' to 'verification-failed' considering the last comment on the last 14.04 packages.

I'd like to re-validate this for myself before we mark it verification-failed. There really shouldn't be much more than building shadow and openssh with audit support for this to work, so let's take another look.

Marking back to verification-needed.

Verified for shadow: login correctly reports logins.

------- Comment From <email address hidden> 2016-02-02 17:56 EDT-------
Thanks to Tyler and the Canonical crew!

Verified for openssh as well; it now correctly shows entries in aureport -l too.

Attached is a transcript from the two sessions testing shadow and openssh for audit support.

This bug was fixed in the package shadow - 1:4.1.5.1-1ubuntu9.2

---------------
shadow (1:4.1.5.1-1ubuntu9.2) trusty; urgency=medium

  * debian/control, debian/rules: re-enable libaudit support. (LP: #1478087)

 -- Mathieu Trudel-Lapierre <email address hidden> Fri, 22 Jan 2016 11:21:57 -0500

The verification of the Stable Release Update for shadow has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package openssh - 1:6.6p1-2ubuntu2.6

---------------
openssh (1:6.6p1-2ubuntu2.6) trusty; urgency=medium

  * debian/control, debian/rules: enable libaudit support. (LP: #1478087)

openssh (1:6.6p1-2ubuntu2.5) trusty-proposed; urgency=medium

  * Backport upstream reporting of max auth attempts, so that fail2bail
    and similar tools can learn the IP address of brute forcers.
    (LP: #1534340)
    - debian/patches/report-max-auth.patch

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 26 Jan 2016 10:38:35 -0500

Setting the Vivid tasks to Won't Fix since it's been EOL for a little while.